From: Gerd Hoffmann <kraxel@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration
Date: Tue, 17 Mar 2015 11:50:46 +0100 [thread overview]
Message-ID: <1426589446.27188.67.camel@nilsson.home.kraxel.org> (raw)
In-Reply-To: <20150317102056.GB6540@redhat.com>
Hi,
> The problem is that the VeNCrypt auth scheme is not actally really
> an auth scheme. VeNCrypt is a way to negotiate TLS session on the
> VNC server, and then run one of the traditionl auth schemes over
> that session. When using websockets, we cannot use VeNCrypt because
> the browser websockets client can't do TLS negotigate part way
> through the VNC protocol auth process. It has to have TLS on the
> connection as a whole, hence the VNC websockets server will setup
> TLS during the initial HTTP header phase, before the VNC protocol
> even starts running.
Understood.
> I could have just stuck with the 'auth' & 'subauth' fields in the
> VncDisplay class, and translated them into something else in the
> vnc_client_connect method when setting up VncState, but i figure
> it was clearer to just add a 'ws_auth' field to VncDisplay
> instead and avoid the translation step.
> When I say they are the same, I mean from a high level security
> characteristics, not the low level protocol auth codes.
>
> eg if you -vnc 127.0.0.1:5901,websockets=5902,tls,x509,password
>
> Then for normal VNC server you will get
>
> vs->auth = VNC_AUTH_VENCRYPT
> vs->subauth = VNC_AUTH_VENCRYPT_X509VNC
>
> This gives a TLS handshake, with x509 certificates and the VNC password
> auth scheme.
>
> And for the websockets VNC server you will get
>
> vs->ws_auth = VNC_AUTH_VNC
>
> combined with https:// requirement. This gives a TLS handshake with
> x509 certificates and VNC password auth scheme.
Ok, so there basically is a fixed mapping from auth+subauth to ws_auth
+ws_tls, correct?
I think we should have a function setting ws_auth+ws_tls that way then,
to make clear how this works, with a comment explaining things (which
you can probably largely cut+paste from your mail ;)
> So, yes, the VNC protocol auth numbers are diferent, but the actual
> security characteristics, encryption setup and auth scheme *are*
> identical.
I guess we can live with the current QAPI schema then?
cheers,
Gerd
next prev parent reply other threads:[~2015-03-17 10:50 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-16 12:36 [Qemu-devel] [PATCH 0/3] Misc fixes for VNC Daniel P. Berrange
2015-03-16 12:36 ` [Qemu-devel] [PATCH 1/3] ui: remove unused 'wiremode' variable in VncState struct Daniel P. Berrange
2015-03-16 13:03 ` Alex Bennée
2015-03-16 12:36 ` [Qemu-devel] [PATCH 2/3] ui: replace printf() calls with VNC_DEBUG Daniel P. Berrange
2015-03-16 13:06 ` Alex Bennée
2015-03-16 12:36 ` [Qemu-devel] [PATCH 3/3] ui: fix VNC websockets TLS integration Daniel P. Berrange
2015-03-16 13:17 ` Alex Bennée
2015-03-16 13:35 ` Daniel P. Berrange
2015-03-17 10:59 ` Daniel P. Berrange
2015-03-17 7:36 ` Gerd Hoffmann
2015-03-17 10:20 ` Daniel P. Berrange
2015-03-17 10:50 ` Gerd Hoffmann [this message]
2015-03-17 10:58 ` Daniel P. Berrange
2015-03-17 10:33 ` Daniel P. Berrange
2015-03-17 10:54 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1426589446.27188.67.camel@nilsson.home.kraxel.org \
--to=kraxel@redhat.com \
--cc=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).